IoT security is at the forefront of everyone’s mind these days due to a huge uptick in DDoS attacks coming from our newly connected devices. So far, we’ve seen DVRs and video cameras fall victim and become mindless drones in a malicious botnet army. After 20 years of partnering with enterprises to build software that deploys inside, outside and around their firewalls, I’ve learned that there are a few basic things we should always include when creating new IoT solutions to protect our creations and our companies.
Here are five things you should do right now to keep you and your company off the list of hacked IoT devices.
Change Default Settings
Every operating system, app server, device or library ships with a set of defaults, including a default account, that are designed to get you set up quickly. The original vendors created that account and published its credentials so that anyone could get started with the product. Those defaults were never intended to go into production; you need to change them.
Whether it’s the default password on your Wi-Fi router or the pre-loaded Raspbian image on your Raspberry Pi, you absolutely must change the defaults. Leaving them in place is an open door for attackers, and an embarrassment for you and your organization.
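One way to make "change the defaults" enforceable rather than advisory is to have the firmware itself refuse to expose anything beyond a local setup console until the factory credential has been replaced, and to store the replacement only as a salted hash. The following is an added example written for this article, not code from the original; the factory login, the denylist of common defaults, the PBKDF2 round count and the service names are assumptions.

```python
"""First-boot credential gate for a device that ships with a documented default login.
Added example (not from the original article); constants below are assumptions."""
import hashlib
import hmac
import os

SHIPPED_DEFAULT = ("admin", "admin")  # documented factory login (assumption)
# Well-known defaults that must never be accepted as a "new" password (assumption).
COMMON_DEFAULTS = {"admin", "password", "12345", "123456", "1234", "root", "default", "888888"}
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how much of the hash matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class DeviceCredentials:
    def __init__(self):
        # Factory state: only the documented default exists, and it is flagged as such.
        self.username = SHIPPED_DEFAULT[0]
        self.salt, self.digest = hash_password(SHIPPED_DEFAULT[1])
        self.default_in_use = True

    def setup_required(self):
        return self.default_in_use

    def set_password(self, new_password):
        """Accept a replacement only if it is not a known default and is long enough."""
        if len(new_password) < 12:
            raise ValueError("password must be at least 12 characters")
        if new_password.lower() in COMMON_DEFAULTS or new_password == SHIPPED_DEFAULT[1]:
            raise ValueError("refusing a well-known default password")
        self.salt, self.digest = hash_password(new_password)
        self.default_in_use = False

    def login(self, username, password):
        return username == self.username and verify_password(password, self.salt, self.digest)


def allowed_services(creds):
    """Services the device may start: setup console only while the default is in use."""
    if creds.setup_required():
        return ["local-setup-console"]
    return ["local-setup-console", "mqtt-client", "remote-admin"]


if __name__ == "__main__":
    creds = DeviceCredentials()
    print("at factory state:", allowed_services(creds))
    creds.set_password("correct horse battery staple")
    print("after first-boot change:", allowed_services(creds))
```

The important design point is the `default_in_use` flag: the device does not merely warn about the factory password, it withholds the network-facing services until `set_password` has succeeded, and `set_password` refuses to let the factory value or another well-known default back in.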
Close Unused Ports
Next up on the security stack is closing unused ports. Every device exposes a large number of network ports, each of which can carry a different kind of traffic: web, email and chat all run over different ports. Thankfully, cloud and modem vendors help us with this task with built-in firewalls and security profiles. That said, for those of us making new devices to power the IoT, no one is providing this protection for us.
The easiest thing you can do to protect your project is to close every port that your application does not absolutely need. In most cases, modifying a single configuration file is enough. Closing the unused ports is an easy way to make it harder for an attacker to get into your device without you knowing.
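Before editing that configuration file it helps to know what is actually listening. The script below is an added example, not code from the original article: it parses output in the shape of `ss -H -tulnp` (the sample lines are constructed for the demo), reports every network-reachable listener that is not on the application's own allowlist, and renders the single-file, default-deny nftables policy that admits only the required ports. The allowlist of required ports and the process names are assumptions.

```python
"""Audit listening ports against the application's allowlist and emit a
default-deny nftables policy. Added example; not from the original article."""
import re

# Constructed to resemble `ss -H -tulnp` output on a small Linux IoT device.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=301,fd=3))
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:* users:(("telnetd",pid=412,fd=3))
tcp   LISTEN 0 5   0.0.0.0:8883   0.0.0.0:* users:(("mqtt-client",pid=520,fd=7))
tcp   LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("admin-ui",pid=533,fd=4))
udp   UNCONN 0 0   0.0.0.0:1900   0.0.0.0:* users:(("upnpd",pid=288,fd=5))
"""

# The only ports this application needs reachable from the network (assumption).
REQUIRED = {("tcp", 22), ("tcp", 8883)}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Netid State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",...))
_LINE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_listeners(ss_output):
    """Turn ss-style lines into dicts with proto, bind address, port and process."""
    found = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            found.append({"proto": proto, "addr": addr, "port": int(port), "process": proc})
    return found


def audit(listeners, required):
    """Return listeners reachable from the network that the application did not ask for.
    Loopback-only binds are skipped because they are not exposed to other hosts."""
    return [
        l for l in listeners
        if l["addr"] not in LOOPBACK and (l["proto"], l["port"]) not in required
    ]


def render_nftables(required):
    """Render a default-deny nftables ruleset admitting only the required ports."""
    lines = [
        "table inet iot_filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
    ]
    for proto in ("tcp", "udp"):
        ports = sorted(p for pr, p in required if pr == proto)
        if ports:
            lines.append(f"    {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS_OUTPUT)
    for l in audit(listeners, REQUIRED):
        print(f"unexpected listener: {l['proto']}/{l['port']} ({l['process']}) on {l['addr']}")
    print(render_nftables(REQUIRED))
```

On a real device you would feed `parse_listeners` the live output of `ss -H -tulnp`, fix the services that should not be running at all (the firewall is a backstop, not a substitute for stopping telnetd or UPnP), and load the rendered policy with `nft -f`.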
Don’t Store Information in Plain Text
The majority of applications, whether IoT or mobile, need to store data in memory. Maybe it’s the user profile, a set of preferences, or a security key used to restore connections, but in every case there is the potential to put something on the device that could be used maliciously. While we hope that attackers are never able to access our devices, the very nature of IoT means that we are putting things out in the wild to be managed by people who may not be aware of every security vulnerability.
When you store data, you should always encrypt it so that another user, application or attacker who gets hold of the storage cannot read it. Having the data in a form that cannot be read without the key goes a long way towards keeping your application from being an easy target.
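As an added example of what "encrypt it" means for a preferences file (this is not code from the original article), the block below seals a JSON preferences blob under a 32-byte master key with ChaCha20 (RFC 7539) and an HMAC-SHA256 tag in encrypt-then-MAC order, so that tampering with the stored file is detected rather than silently decrypted. The cipher is written out here only so the demo runs with the standard library alone; production firmware should call a vetted library (libsodium or the `cryptography` package) for the same construction. The master key source, the key-derivation labels and the file path are assumptions; in a real device the master key lives in a secure element or is generated on first boot, never beside the data it protects.

```python
"""Encrypt device preferences at rest (ChaCha20 + HMAC-SHA256, encrypt-then-MAC).
Added example; not from the original article. Standard library only."""
import hashlib
import hmac
import json
import os
import struct
import tempfile


def _rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF
    s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF
    s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants | key | counter | nonce, 20 rounds."""
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    state = list(struct.unpack("<16I", raw))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, counter + i // 64, nonce)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


def _derive_keys(master_key):
    """Split the master key into independent encryption and MAC keys (labels assumed)."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    enc_key = hmac.new(master_key, b"iot-prefs encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"iot-prefs integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master_key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag. A fresh random nonce per write is essential."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = os.urandom(12) if nonce is None else nonce
    ct = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key, blob):
    """Verify the tag first; only then decrypt. Raises ValueError on any mismatch."""
    if len(blob) < 12 + 32:
        raise ValueError("stored blob is too short")
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored data was modified or the key is wrong")
    return chacha20_xor(enc_key, nonce, ct)


def save_preferences(path, master_key, prefs):
    with open(path, "wb") as f:
        f.write(seal(master_key, json.dumps(prefs).encode()))


def load_preferences(path, master_key):
    with open(path, "rb") as f:
        return json.loads(unseal(master_key, f.read()).decode())


if __name__ == "__main__":
    master = os.urandom(32)  # stand-in for a key held in a secure element (assumption)
    path = os.path.join(tempfile.mkdtemp(), "prefs.bin")
    save_preferences(path, master, {"wifi_psk": "hunter2", "report_interval": 60})
    print("on disk (hex):", open(path, "rb").read().hex()[:48], "...")
    print("decrypted:", load_preferences(path, master))
```

Two points worth noticing in the design: the tag covers the nonce as well as the ciphertext, and `unseal` checks it with `hmac.compare_digest` before touching the data, so a modified or truncated file fails closed instead of yielding garbage that the application might act on.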
For businesses: Before you decide to store lots of information about your users, consider whether that information is actually valuable to you. Many apps have made themselves a more attractive target simply by storing things that were of interest to others. If you don’t need geo-location data, don’t store it.